TeelTech - Advancing Mobile Device Forensics (online version)


  • Advancing Mobile Device Forensics

    Instructor: Mike Felch

  • Introduction

  • Lunch & Learn Introduction

    If you rely on tools

    Your examinations have probably missed critical data

    You may not have been able to examine certain devices

    You may have missed data from apps, especially the latest apps

    You found some data but exhausted yourself parsing it out

  • Lunch & Learn Content

    Using a practical example of an investigation that involves uncovering digital artifacts with new techniques, we will identify data that was unrecoverable or overlooked by traditional forensic tools.

    Reverse Engineering Data Structures: After a brief overview of Hex Editor Neo and regular expressions, we will manually examine a binary image acquired from a mobile device in our simulated investigation.

    Introduction to Programming with Python: We will cover some high-level Python basics such as variables, loops, conditions, slicing, and saving files. Just enough to demonstrate the ease and power of Python!

    Python Programming for Mobile Forensics: After learning some basics in Python, we will write some scripts to extract artifacts from mobile devices and then save the output as evidence for our investigation.

  • Learning Goals

    At the end of this event, you will have experienced:

    Going beyond push-button forensic tools, which is required to stay relevant

    There is power in understanding binary data

    Python programming is actually easier than it seems

    No previous programming background is required

    By the end of the day, you will have a basic understanding of how to apply reverse engineering and programming techniques in day-to-day mobile device examinations

  • About Mike

    Information Security Engineer, Computer Programmer, High-Tech Crime Researcher, and CSIRT Manager in the private sector

    14+ years of programming and reverse engineering experience, mostly Linux, Windows, mobile, and web

    Career: Infosec with a focus on offensive strategies, surveillance, and cyber-attack attribution; Sr. Software Engineer with enterprise experience; Systems Engineer with a defense contractor in the aerospace industry

  • Staying Relevant: Bridging the gap between mobile forensics and advancing technology

  • The Problem

    Technology is leaving mobile device forensics behind, and reliance on traditional tools widens the gap between the evidence that exists on a device and the evidence an examiner can actually acquire.

    Privacy applications destroying content upon viewing

    Unsupported devices & applications

    Proprietary encryption & device passwords

    Mobile application updates rendering tools useless

    the list goes on

  • The Problem: Privacy Applications

    Apps are destroying data making it unrecoverable

    Developers are removing themselves from the equation

    SnapChat: erasing pictures after they are viewed

    Cyberdust: end-to-end encryption of messages

    Kakao Chat: overwriting messages when they are deleted

    Whisper: anonymized content

    TextSecure: end-to-end encryption of text messages

    RedPhone: end-to-end encryption of phone calls

    plus many more...

    The more apps are built around privacy, the less data will be acquired using industry-leading tools

  • The Problem: Lack of Support

    Unsupported Devices: Devices are constantly being released, and the number of models makes it impossible for tools to support everything.

    Unsupported Applications: New apps are being released every day, and support from tools can take months. By the time they are supported, updates sometimes break the support.

    Cellebrite Physical Analyzer

    World leader in mobile forensics

    4:cast Forensic Tool of the Year since 2012

    Known for fastest adoption of phones & apps

    Industry standard

    79,168 devices without physical extraction support

    424,826 total devices

    19% of devices aren't supported

    That's 1 in 5 devices requiring JTAG / chip-off!

    SnapChat Example

    25 Updates Since January 17th, 2014

    100 Million to 500 Million Installs

    700 Million Photos/Videos Sent Per Day

    Forensic Tools Overlook Images!

  • The Solution

    You don't need a programming background!

    Don't just learn the process, learn the technology

    Don't be intimidated, it's much simpler than it looks

    Break large complex problems into smaller solvable parts

    Research new methods, apps, and devices

    Embrace the power of programming

  • The Result

    You will become a critical asset!

    Increased value to your department or agency

    Much more confident as a forensic examiner

    Programming experience is valuable outside of forensics

    Uncover methods that impact the global forensic community

    Solve cases that may have otherwise gone unsolved

  • The Requirement

    It takes a commitment!

    Commit to spending 1 hour a day for 30 days using Python

    Don't try to learn the whole language, learn what you need

    Spend time searching and finding messages in binary data

    Think about how to tell the computer to parse the data you need

    Don't give up! Ask questions and embrace the community

  • 15 Minutes of Open Dialogue

    What are some new problems facing mobile device forensics?

  • Overview of Technologies

    We will be looking at just a few technologies

    Hex Editor Neo

    Regular Expressions

    Python v3

    Cellebrite Physical Analyzer Scripting Engine

  • Overview of Technologies: Hex Editor Neo

  • Hex Editor Neo

    Typical hex editor but with advanced capabilities

    Identify data within multi-gigabyte files

    Displays data as ASCII, hex, decimal, and binary

    Direct access to physical and logical disks, and even memory

    Extremely portable, doesn't require a full installation

    Very fast advanced searching

    Multiple simultaneous selections

  • Hex Editor Neo

    Simple Layout

  • Hex Editor Neo

    Simple Layout: Multiple Selections in a 4 GB Binary Phone Image

  • Hex Editor Neo

    Expert Layout

  • Overview of Technologies: Regular Expressions

  • Regular Expressions (regex)

    What is a regular expression? A special text string that describes a pattern to search for

    When should we use regular expressions? When we know what the structure looks like but are unsure of the exact data inside it

    Where can I find help? Help > Contents > Hex Editor Neo Definitive Guide > Regular Expressions > Regular Expressions Syntax

    Let's take a look at an example...

  • Regular Expressions (regex)

    Sample regex: DirectChat\[\d{9}\]\[\d{9}\].*\d{18}\].*\d{9}

    Sample message: DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]

    abc      Search for the exact text abc
    [abc]    Search for a, b, or c
    \d       Search for a digit
    \d{10}   Search for ten digits
    \[       Search for the character [
    *        Match 0 or more repetitions of the preceding item
    .        Match any character except newline
    \        Backslash escapes the following character

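    As an added example (not part of the original deck or of any tool it names), here is the sample regex above run from Python 3 over a constructed chunk of image data rather than typed into Hex Editor Neo. The record layout and the first message are the slide's own; the second record, the truncated fragment, the filler bytes, and the column labels id_a to id_d are this example's assumptions, since the slide does not say what the numeric fields mean. It also shows the check a practitioner wants before trusting a carving regex over a whole image: the slide's greedy `.*` form finds the sample message, but over the image it swallows two records into one hit, while a tightened version with capture groups and non-greedy quantifiers carves each record separately, keeps its byte offset, and writes the results out as CSV evidence. The same code exercises the slicing, conditions and file saving that the Python slides below introduce.

```python
import csv
import io
import re

# Constructed sample of raw image data (not from a real device): the slide's sample
# DirectChat message, a second invented record in the same layout, and a truncated
# fragment that should NOT be carved, all separated by filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]"
    + b"\xff\x00\xde\xad"
    + b"DirectChat[111222333][444555666]Meet at 9?[200000000000000001]zz[123456789]"
    + b"\x00" * 8
    + b"DirectChat[999888777][666555444]partial[12345]"  # no 18-digit field: incomplete
    + b"\x00" * 8
)

# The regex exactly as written on the slide, as a bytes pattern so it runs on raw data.
SLIDE_REGEX = rb"DirectChat\[\d{9}\]\[\d{9}\].*\d{18}\].*\d{9}"

# Tightened carving pattern: a capture group per field, non-greedy .*? so a match stops
# at the first closing field instead of running on to the last one in the image, and
# DOTALL so a message body containing a 0x0A byte does not break the match.
RECORD_RE = re.compile(
    rb"DirectChat\[(\d{9})\]\[(\d{9})\](.*?)\[(\d{18})\].*?\[(\d{9})\]",
    re.DOTALL,
)

# Column labels for the evidence file. These are this example's names for the fields;
# the slide does not say what the numeric values represent.
EVIDENCE_FIELDS = ["offset", "id_a", "id_b", "message", "id_c", "id_d"]


def slide_regex_matches(data: bytes) -> bool:
    """True if the slide's regex finds the record format somewhere in data."""
    return re.search(SLIDE_REGEX, data) is not None


def count_slide_regex_matches(image: bytes) -> int:
    """How many separate hits the slide's greedy regex produces over a whole image."""
    return len(re.findall(SLIDE_REGEX, image))


def carve_records(image: bytes) -> list:
    """Carve every complete DirectChat record from image, with its byte offset."""
    records = []
    for m in RECORD_RE.finditer(image):
        records.append({
            "offset": m.start(),  # where the record begins, for re-locating it in a hex editor
            "id_a": m.group(1).decode("ascii"),
            "id_b": m.group(2).decode("ascii"),
            "message": m.group(3).decode("utf-8", errors="replace"),
            "id_c": m.group(4).decode("ascii"),
            "id_d": m.group(5).decode("ascii"),
        })
    return records


def records_to_csv(records: list) -> str:
    """Render carved records as CSV text (header row first)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=EVIDENCE_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def save_evidence(records: list, path: str) -> None:
    """Write the carved records to a CSV file for the case folder."""
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(records_to_csv(records))


if __name__ == "__main__":
    sample = SAMPLE_IMAGE[16:99]  # slice out the slide's sample message (bytes 16..98)
    print("slide regex matches the sample message:", slide_regex_matches(sample))
    print("slide regex hits over the whole image:", count_slide_regex_matches(SAMPLE_IMAGE))
    carved = carve_records(SAMPLE_IMAGE)
    for rec in carved:
        print(f"0x{rec['offset']:08x} {rec['id_a']} -> {rec['id_b']}: {rec['message']!r}")
    save_evidence(carved, "directchat_evidence.csv")
    print(f"{len(carved)} records written to directchat_evidence.csv")
```

    Running the script prints each carved record with its image offset and writes directchat_evidence.csv in the current directory. The offset column matters as much as the fields: it is what lets the hit be located again in the hex editor and shown to a reviewer. Non-greedy quantifiers stop a record from absorbing the ones after it, but a truncated record that precedes a complete one would still run into it, so for real images bound the message length (for example `.{0,500}?` instead of `.*?`) and review any hit whose message field looks unusually long.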

  • Overview of Technologies: Introduction to Python

  • Introduction to Python

    Comparing Data

    Basic Math Operations

    Logical Conditions

    Code Structure

    Saving Data
  • Python: Comparing Data

    Operator   Meaning
    <          Less than
    >          Greater than
    >=         Greater than or equal to
    ==         Equal (note two equal signs)
    !=         Not equal

    Operator   Meaning                           Example          Result
    or         True if either argument is true   True or False    True
    and        True if both arguments are true   True and True    True
    not        Opposite                          not False        True

  • Python: Basic Math Operations

    Operator   Description   Example   Result
    +          Sum           1+1       2
    -          Difference    2-1       1
    *          Product       2*3       6
    /          Quotient      5/2       2.5
                             4/2       2.0 (in Python 3, / always gives a float)


    x = 3+7

    x = 4*9

    x = 20/2

    x = 44-1

  • Python: Variables

    Used to track data within our program

    Variables are containers for our data

    We store and change the values within the variable

    We select the names of the variables

    Names are case sensitive

    Can't use certain reserved words: if, for, while, etc.

    Assign data with the equals sign: myVariable = 1

    Assignments can include calculations: myVariable = 12 + 34

  • Python: Slicing

    Index:  0 1 2 3 4 5 6 7 8 9
    Char:   S l i c i n g T x T

    myString[0:7]     Gets the first 7 characters, starting at index 0                    Slicing
    myString[:7]      Gets the first 7 characters from the beginning                      Slicing
    myString[7:]      Gets the remainder, starting at index 7                             TxT
    myString[2:7]     Gets 5 characters, from index 2 up to (not including) index 7       icing
    myString[-5:-3]   Gets 2 characters, from index -5 up to (not including) index -3     ng

  • Python: Logic Conditions

    Control the flow of execution with conditional statements, which decide whether the indented statements beneath them get executed.

    if condition:

    if x == 7:
        print("The number is 7!")



  • Python: Loops usin